
In actuality, it's more the egoist side of human nature. There is someone, somewhere that would likely fix it and recompile. Whether they can get past this idea that their code is their intellectual property and thus, "Someone will have to pay!" will determine if the world can move past such an ego and continue thinking about more important things than a silly exploit.

Well, we don't actually know when the flaw was disclosed. We only know that it was acknowledged to be disclosed recently, but it could have been a while back. However, I don't have a problem with it taking time to do the find, fix and test. The fix for the bug may have ramifications in other parts of the code, and it takes time to check this.

I think people can be a bit unreasonable with their expectations of patch times.

I would rather be a realist labeled a troll than be a shill who is labeled "Insightful". I'd like to also point out that if Microsoft followed the same policy Mozilla used with Flash, every time you launched Firefox, a window would pop up saying "this application has been disabled due to security concerns".

This seems like a very risky strategy to me. If the vulnerability is already in the wild they should be pushing out the fix ASAP. If it's not in the wild they should be keeping details quiet until they can make a proper release.

Hey, if the damned exploit won't run on Linux, then it's not a real exploit, is it? This kind of thing kinda pisses me off. There are all KINDS of neat software out there, that just won't run on Linux. It's definitely not fair. I think it might even be illegal. In today's modern world, no one is supposed to be excluded from anything. Not even nerds!!

Ok, so, since the summary didn't make this clear and I didn't find any explanation in the article, maybe someone on Slashdot can shed some light on this. What took Mozilla so long? It's a critical vulnerability that allows remote code execution. Why is it taking over a month to fix?

Well, the code surface area exposed is pretty small, and the code is old and stable, but how do you know? Have you checked, run a fuzzer against it? (Only half joking. The punchline being, you never do know until you go look.)

If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

Part of the problem with trying to have a sensible discussion on this topic is that so many people do pretty much claim $FOSS_APP is perfect: with enough eyes, all bugs are shallow, yada yada. If a large chunk of your culture and advocacy is based on that sort of foolishness, you're bound to get negative press when inevitably you can't always live up to your own hype.

Even the parent poster seems to be somewhat guilty of this, throwing in a couple of knee-jerk IE bashing responses. Have you actually looked a

Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

Your point, that data can be more valuable than system integrity and is not protected by Linux-style user vs. root access control, is excellent. I just wanted to pick up on this comment:

For me, at least, my personal data is far more important than my OS! Corporate networks may disagree.

Anywhere I've ever worked, the corporate network would agree with you, and strongly. Replacing a compromised machine is just a format and reinstall of a drive image, something Corporate IT do all the time with new machines anyway. On the other hand, losing confidential information about business plans, trade secrets, or God

Agreed. Personally I use Gentoo Hardened [gentoo.org] with PaX and Grsecurity in the kernel plus a hardened toolchain and userspace measures against buffer overflows. That includes things like address randomization, non-executable pages, mprotect() restrictions, etc. Further measures are also available, like capability systems. It's good, though I would not call it "bulletproof", not even if I thought it was.

Really none of this is any substitute for patching known vulnerabilities. What it does provide is a secon

Personally, I just run Arch with the standard security (ASLR, not sure about NX), and use an OpenBSD VM when I need to touch "places" that have a risk for targeted attacks. I even run sudo without password prompting. For hardening Windows boxes, take a look at eEye's products? Frankly, however, I don't know about exploitation prevention frameworks/apps on Windows (other than signature-based IDS) either.

I'd be interested in knowing what options are available for similarly hardening Windows. What I'd really like to see is for the average system to become difficult enough to compromise that there is no longer fertile ground for automated attacks and the botnets that follow. I think that's achievable too, if we really wanted to do it.

The nice part is that almost all of the security settings are trivially deployed via Active Directory and GPOs. Deploying Linux security settings in a corporate environment generally involves rolling your own scripts and distribution methods.

I run Firefox sandboxed from within SandboxIE on my Windows XP computer. SandboxIE builds a virtual sandbox around the default browser on a computer. In addition, my computer is set up so that I am normally logged in with a user name. I only log in as administrator when needed. I also use the NoScript and Adblock Plus extensions for Firefox. I only enable the running of scripts for certain Websites that I trust. Perhaps those measures might help, but I am not a computer expert and do not know for sure. I

Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

I'm asking why companies insist on patching 20-30 things all at the same time, surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

I interviewed with Mozilla a few years back when they were looking for a Release Engineer. I think you underestimate the amount of work that goes into producing a release. Firefox is released in 70+ languages for 3 platforms. On top of this they release upgrade versions and not just full binaries, which of course is different for each platform. So you're looking at around 420+ different versions. There are also branded versions as well, which adds even more versions.

First of all I think you need a timeline to help you understand how this vulnerability was handled:

Feb 1st, 2010: VulnDisco is updated with a zero day exploit for Firefox 3.6. No details on how the exploit works are provided. The exploit is only available in binary form when you buy a copy of VulnDisco. Some people buy VulnDisco and have difficulty in making the exploit work. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/ [immunityinc.com]

Isn't this what MS does with their micro-patch KB fixes?

Because you'd be running the test case 20-30 times? And people really, really, really hate updating their software hourly?

That means for each patch they have to go through a whole release test of the software,

Surely the QA should not take that long though. There are plenty of people willing to test the code.

Microsoft uses the excuse that they need to test every language on every OS version in every configuration but what is worse - breaking the Hungarian version on Windows XP SP2 or leaving everyone with an unpatched critical vulnerability for weeks?

Are there? The number of people testing your typical Firefox minor release is about an order of magnitude lower than the number of people testing bleeding-edge Firefox trunk last I checked. And it's at least two orders of magnitude lower than the number of people testing a major release beta.

If you talk to the Mozilla QA and release folks, one of their big problems is in fact the lack of minor release testers...

When a flaw is found they have to find how to fix it, write the code to fix it and the test it (so they're not left with a flaw due to the fix) and that isn't just a case of opening Firefox on one computer. They have numerous versions to test for.

I'm not sure if the fix was pushed out already because this week I've had updates cropping up for all my instances of Firefox at home and work. So either they're early or I'll get another one on the 30th. Either way, they're clearly doing their best.

I guess that it's because it costs a ton of bandwidth (and thus money) to make a patch available. Mozilla's patch system is pretty ugly, since it needs to download 3 megabytes for a few bytes changed.

And NO, it doesn't have anything to do with validating the patch, since it's very easy to check that the behaviour doesn't change, especially when the impact is very small. Microsoft uses the "we need some time to check the patch" excuse because they have to maintain a lot of different versions of their OS.

If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

In the Linux world, it's normal that the packages you get via your package manager have custom patches in them. So we get the fixes ASAP anyway. (Of course Windows, being the Playmobil OS that it is, lacks a general package manager.)

But I also wonder why they don't just shove the minor updates in patch form through their update functionality. Just like addons can get updated every time you start Firefox. It would be what? A couple of bytes?

If the upgrade could happen silently and without any user notification (which is what Chrome is working on and what Mozilla would like to get to), that may be acceptable. But even just telling the user three times a day "hey, I just updated" i

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/ [secunia.com]. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ...
Mozilla: Hello?
Secunia: ...
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details...
Mozilla: *patched beta*

Of course. You have to build up the correct suspension first, if you're not going the "surprise proof-of-concept 05.00 in the morning" route. It's just how these things are done. People just have no respect for good professional showmanship.

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ... (puts it on black hat exploit auctions)
Mozilla: Hello?
Secunia: ... (sells it to the highest bidders)
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details... (Milked it enough)
Mozilla: *patched beta*

Microsoft has a proven track record of ill will, negligence and general contempt for its customers. Therefore it is generally met with suspicion and distrust and has to prove its case every time because of it.

Karma is a bitch.

I dunno, I don't think they are as bad as MS, but I'm not sure I trust either the Firefox codebase or the Mozilla guys.

The memory "leak" saga and the fact that afaict they don't treat all crash bugs as high priority because they are potential vulnerabilities (until you figure out what causes a crash you don't know if it's exploitable) don't exactly inspire confidence. Neither does delaying an exploit to the next regular release rather than adding the fix to the latest current release and making a release ASAP.

<humor>There appears to be a critical vulnerability in your logic and why did you not fix it before you posted? Were you not aware of it? Did you not research the problem and preview before submitting a solution? As a result, you created a second and worse vulnerability.</humor>
As others have pointed out, there is already a patch and I have looked at it myself.

Congratulations, you just encourage it. Twice, and with multiple replies. The moderation system is designed to account for this stuff. It's designed so you just need a single person with a single mod point to mark it as troll or flamebait, cleaning up the comments for others.

The only thing you've said that makes sense is filtering multiple copies of things. Everything else is heavy-handed censorship type stuff. Police involved for being racist? That's excessive.

With the language the same in every single post, why doesn't Slashdot just filter this out to the garbage before it gets posted?

Yes, because no-one would change a word or two in their post or do variations on the spelling. Yay, we get to have another lameness-filter style arms race, that'll improve the quality of the posts.

Maybe we should have a "-1 hate crime" mod, and the overlords can determine what to do with it. As it is, I only see myself or other mods pushing it down, thus wasting one of my mod points whereas I can be modding someone "+1 interesting" instead.

Maybe you should grow a skin and realize that you can't win this kind of pissing contest with griefers.

Seriously, just ignore it.

This very moment, some guy in his mom's basement has his pants down fwapping away to your outrage. You've provided motivation for gods know how many more cut'n'paste trolls, because you

good - wasting time commenting on this stuff keeps them motivated to post.

That said, after reading your comment, I had to see what the fuss was about.. I found it quite amusing really. Well, no less amusing than "installing boyfriend 2.0" or "upgrading girlfriend to wife", or any Irish, Polish, or random celebrity jokes that no-one seems to have a problem with. (I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).

Yeah, these copypasta trolls are tedious and annoying, but this guy is no worse than the tron fanzine guy, the library shit-eater, and the GNAA's broken Markov chain that posts the goatse links. He's just another retard.

Apart from what the SP says, that doesn't mean that hate speech laws are a good thing. Haven't you heard the saying "sticks and stones may break my bones, but words shall never hurt me"? That sort of post isn't libellous, slanderous, or defamatory, because it wouldn't actually harm anyone's opinion of either a specific black person or black people in general (anyone who would take it seriously would already believe that crap), and there is no measurable harm done by it.

There are serious pros and cons one has to weigh choosing an implementation language for a project on the scale and the types of requirements that firefox has. I'm pretty sure your only serious contender in the list was Java and it has significant baggage all of its own. I'll take C/C++, I just wish programmers had a passion for better code in all of its aspects including the ever present yet most fundamental buffer overflow bugs.

I can't believe my first comment got modded down twice as flamebait; slashdot has really descended technically, apparently, to judge so poorly what is a serious technical comment by someone who has been programming for about thirty years (and who even taught C at the university level and has used C++ extensively in the past, including at IBM Research).

So sad to put a little performance (and questionably) these days ahead of security as well as ease of programming, extendability, and maintainability.

I majored in java (and I really do love java) but I now work in perl. So, certainly, it sounds like you'd be in a better spot to judge what would be the best implementation language. Also just noticed your low uid!

You really think firefox should've been developed in java? I would've thought it would be problematic for that type of project that needed portability, minimal footprint (no jvm), and perhaps lack of an environment that might promote over-engineering?

A lot of these issues are relative to your priorities and also technical change. What does "minimal footprint" mean these days on eight core Mac Pro with tens of Gigabytes of memory, and where most of the memory is used by cached pages of a web browser, not the application itself? There is a value to Firefox being in C++ from the standpoint of it being embedded somehow in other C++ applications (including embedded software) -- although, on the flip side, it makes it difficult to embed it in Java application

Include support for foreign resources in ELFs in the kernel, along with VFS directives for presenting the resources, and soft link all the compile time options (probably needs LLVM) in to one binary, just store the diffs, that don't have to be recalculated every time.